OK so it seems there are a few ways to mitigate this outside of changing our XP Firewall group policy:
Disable split tunnelling - not a firewall but seems to have the effect of making the client appear invisible to its local subnet?
Use Host Checker Connection Control - great, fantastic... needs admin rights!!!
Does anyone know if the Connection Control can be made to work without admin rights by tweaking priviledges using Group Policy?
Doesn't the Juniper Installer service solve the problem?
This is a small application that should be installed on the PC with admin rights. Afterwards Juniper signed component can use this application to gain admin rights
I don't think it's that - NLA seems to detect that the machine is on a "foreign" network until Network Connect launches and gpupdate eventually runs/kicks in.